The culture of (cyber)ribbon cutting in Poland
Poland has a long standing culture of ribbon cutting ceremonies. Whether it’s a new street, couple of kilometres of a highway or a new server room in a secret government building (really!) the ceremonial cutting of an appropriately coloured ribbon is a key to success. Obviously, this had to be extended to the cybersecurity space.
Almost a year ago I got a call from my mother asking, in a rather surprised have-you-lied-to-me tone, whether I really did work for CERT.pl. I was equally surprised that she didn’t believe me, but I responded truthfully that I really did and it wasn’t a cover-up for some other nefarious activities.
Why do you ask?
Well, I was just listening to the radio and they said that a new National CERT was opened today by the Minister for Digital Affairs.
Ah, yes, the good old ribbon cutting. You see, new government wanted to do something in the cybersecurity area so they figured that they will open something new, which was almost the same as the old one, just new. Ministry for Digital Affairs decided that they will take over the .pl registry and create a National Cybersecurity Centre, which, as far I understand the concept, is composed of two already existing, highly skilled teams (CERT.pl and Dyżurnet) and then an additional, new 24/7 SOC team, because SOCs are cool.
This whole new creation is called NC Cyber and, in their own corp-speak words, “as an early warning center NC Cyber operating on a 24/7 basis, 365 days a year monitors network-related threats and manages the exchange of related information.” Ribbon cutting happened almost a year ago and since then nothing really came out of it, apart from even more paperwork that outlined a plan for several new ribbon cutting ceremonies.
Lately, however, Polish banking sector fell a victim to a somewhat sophisticated targeted attack. This was a chance for NC Cyber to shine! The very first highly visible attack that required an information exchange and network-related threat monitoring. Even at the very least, call a meeting, an action plan, then create an after-action report and share it with everyone so that all parties involved could implement recommendations. You know, the whole shebang.
As you can guess, this chance was wasted, but even more than that it seemed that NC Cyber didn’t want to be included at all. Banks shared some samples, reports and information in a very informal way via e-mails or with a help from third parties. NC Cyber was left out and it seems that it didn’t even want to be included in any capacity. Of course, CERT.pl acted responsibly and fast, taking the same actions it would before the ribbon cutting ceremonies made its way to the cybersecurity. However, this situation still begs for a question: was that ribbon cutting necessary if it didn’t alter the status quo? And what’s the NC Cyber response to all of that?
As one person once told me: “it’s important to do something, anything just to create an illusion of going forward”. By creating National CERT government can feel good about themselves and pat everyone’s back. Since cybersecurity is such a complex and rather technical matter it’s easy to sweep things under the rug, or produce a lot of paperwork and say that you did a good job.
Using the words like “synergy” and “partnership” and “strategizing” and “creating a vision for years 2016–2019” (yes, it’s 2017) you create an appearance that something is happening. There’s really no one that would ask specifics, because people who are interested in the specifics know that it’s all a castle in the sky and everyone else sees flashy ribbons and huge scissors. It’s been almost a year and it’s time to act now.
All in all, targeted attack incident response revealed that when you look past the wall of paperwork the king is, in fact, naked. But that didn’t stop making the wall even higher, with new strategies being published any moment now, just to convince everyone not to look past it. To paraphrase one of the famous sayings: “ribbon cutting will continue until security improves”.
